diff options
| author | Fedor Pchelkin <pchelkin@ispras.ru> | 2023-04-25 22:26:07 +0300 |
|---|---|---|
| committer | Kalle Valo <quic_kvalo@quicinc.com> | 2023-08-22 16:35:17 +0300 |
| commit | 454994cfa9e4c18b6df9f78b60db8eadc20a6c25 (patch) | |
| tree | bf7791a02e3d7360477f28bc78653c51bb231c8f /tools/perf/scripts/python/export-to-sqlite.py | |
| parent | b674fb513e2e7a514fcde287c0f73915d393fdb6 (diff) | |
wifi: ath9k: protect WMI command response buffer replacement with a lock
If ath9k_wmi_cmd() has exited with a timeout, it is possible that during
next ath9k_wmi_cmd() call the wmi_rsp callback for previous wmi command
writes to new wmi->cmd_rsp_buf and makes a completion. This results in an
invalid ath9k_wmi_cmd() return value.
Move the replacement of WMI command response buffer and length under
wmi_lock. Note that last_seq_id value is updated there, too.
Thus, the buffer cannot be written to by a belated wmi_rsp callback
because that path is properly rejected by the last_seq_id check.
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.")
Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://lore.kernel.org/r/20230425192607.18015-2-pchelkin@ispras.ru
Diffstat (limited to 'tools/perf/scripts/python/export-to-sqlite.py')
0 files changed, 0 insertions, 0 deletions